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TECHNICAL  EVALUATION  REPORT 

by 

Billy  L.Dove  and  James  B.Oary 
Technical  Program  Co-Chairmen 


EXECUTIVE  SUMMARY 
OBJECTIVES 

The  inherent  logical  makeup  of  digital  systems  presents  the  opportunity  for  improving  the  maintainability  of  complex 
avionic  systems.  While  there  was  limited  success  in  the  early  use  of  Built-In-Self-Test  and  Built-In-Test  (BIST/BIT),  higher 
levels  of  circuit  integration  now  offer  even  greater  opportunities  and  challenges  to  avionic  systems  designers.  However,  while 
past  and  current  digital  systems  designs  have  BIST/BIT  as  an  add-on  feature,  future  avionic  system  designs  must  be  designed 
for  maintainability.  Recently,  improved  techniques  and  tools  to  support  design  for  maintainability  have  become  available  to 
avionics  systems  designers.  If  used  appropriately,  these  new  approaches  can  lead  to  dramatic  improvements  in  avionic 
systems  maintainability. 

The  objective  of  this  symposium  was  to  present,  for  review  and  discussion,  advanced  methods  and  tools  to  support 
design  for  avionic  maintainability.  Since  modern  avionic  systems  consist  of  programmable  processors,  both  hardware  and 
software  design  for  maintainability  issues  and  approaches  were  discussed.  • 

GENERAL 

The  symposium  was  held  May  7—  1 0  in  Brussels,  Belgium. 

Approximately  1(15  people  were  registered. 

Twenty-five  papers  were  presented.  In  addition,  there  was  a  round  table  discussion,  a  technical  tour  of  a  new  Bell 
Telephone  Facility  for  fabricating  hybrid  and  integrated  circuits  in  Ghent  and  a  lour  of  the  Belgian  Air  Force  Test  Facility  in 
Brussels. 


CONCLUSIONS 

•  There  is  a  need  for  improved  communications  between  avionic  systems  users  and  developers. 

•  Design  for  maintainability  concepts  and  technology  to  implement  them  exist  but  need  further  work. 

•  Both  hardware  and  software  design  for  maintainability  are  important  in  avionic  systems. 

•  The  "false  alarm"  problem  with  BIST/BIT  is  a  significant  problem  in  avionics  maintenance  today. 

•  Future  avionic  systems  arc  being  designed  that  use  artificial  intelligence  approaches,  including  ones  for  the  Mirage 
2000  and  the  F- 1 8. 


TECHNICAL  SESSIONS 

The  meeting  was  organized  to  present  the  views  of  both  the  users  and  the  developers  of  tactical  avionics.  Both  hardware 
and  software  were  discussed.  There  were  five  sessions,  defined  as  follows: 

Session  I  Experience  with  Avionics  Hardware  Maintainability 
Session  II  Avionics  Hardware  Design  for  Testability 
Session  III  Experience  with  Avionics  Software  Maintainability 
Session  IV  Avionics  Software  Design  for  Testability 

Session  V  Future  Avionics  Maintainability  Through  Hardwarc/Software  Co-Design 


OPENING  SESSION 


0.  Keynote  Address 
Colonel  F.  Kennis 

In  the  1 950s,  maintenance  was  easy.  There  were  lots  of  planes,  spare  parts  and  maintenance  personnel.  But  as  the 
complexity  increased,  it  became  expensive  to  keep  spares  and  skilled  personnel.  Today,  there  are  new  problems,  including 
not  being  able  to  duplicate  errors  and  not  finding  faults  in  the  shop  because  the  test  tolerances  are  not  the  same  as  on  the 
aircraft.  In  the  future,  there  should  be  better  organization  between  groups,  both  in  design  and  maintenance.  The  software 
should  be  more  modular  and  better  documented.  The  BIT  should  be  correct  with  easy  replacement  of  failed  modules  and 
there  should  be  better  integration  of  maintenance. 

1 .  Objeclifs  d  'Etude  de  la  Maintenabilite  des  Systemes  A  vionnes 
B.Courtois 

Maintenance  on  the  Mirage  III,  FI,  and  2000  were  compared.  The  2000  has  a  centrally  managed  data  bus  for  both  on- 
and  off-line  functional  testing.  For  second  line  maintenance,  there  is  all  purpose  ATE  with  specific  test  benches.  The 
problems  include  lengthy  software  tests,  little  use  of  information  from  the  plane,  ambiguities  in  the  fault  location,  and  too 
many  specialized  test  benches.  To  reduce  maintenance  costs,  it  is  recommended  that  external  test  equipment  be  reduced, 
time  spent  for  fault  detection  and  isolation  reduced,  false  removals  be  minimized,  and  the  number  of  mechanics  needed 
should  be  cut.  There  should  be  a  global  maintenance  policy,  including  a  technical  definition,  integrated  self  tests,  and 
artificial  intelligence. 

2.  Joint  Service  Design  for  Testability  Program 
W.L.Keiner 

The  Joint  Logistics  Commanders  (JLC)  have  established  a  program  to  coordinate  development  of  testing  technology 
and  its  management  within  the  military  services.  In  the  area  of  testability,  they  have  programs  for  testability  program 
standards,  testability  analysis  handbook,  electronic  testability  guide,  built-in  test  guide,  and  a  design  for  testability  (DFT) 
course.  In  DFT,  they  are  looking  at  enhanced  partitioning,  increased  test  control,  increased  test  access,  improved  BIT,  and 
decreased  costs.  They  are  directing  research  in  testability  techniques  and  measures. 

Session  I  —  Experience  with  Avionics  Hardware  Maintainability 
J.M.B.G.Mascarenhas,  Chairman 

3.  Test  Integre  (BIT):  Impact  sur  le  Cout  Global  de  Possession 
M.Kervella 

The  built-in  lest  is  important  for  aircraft  and  can  be  incorporated  into  the  test  strategy  for  multilevel  testing.  One  wants 
to  locate  the  faults  as  quickly  as  possible  with  personnel  who  have  knowledge  of  the  tests,  but  not  the  system.  BIT  has  been 
included  in  recent  Mirage  aircraft.  From  the  FIC  to  the  2000,  they  have  experienced  a  decrease  in  reliability,  a  decrease  in 
the  length  of  test  times,  no  ATE  for  first  line  maintenance,  lower  removal  rates  (from  30%  to  20%),  decrease  in  procurement 
costs  for  first  line  testing,  and  an  increase  in  operation  cost  for  first  line  testing. 

4.  Study  and  Realisation  of  a  Third  Level  Maintenance  Center  Based  on  A  TE  Systems  Utilisation 
F.Bozzola 

The  development  of  a  third  level  maintenance  center  based  on  ATE  was  discussed.  They  analyzed  the  problem, 
specifying  both  the  hardware  and  the  software  needed  prior  to  acquiring  a  system.  This  system,  based  on  computers  rather 
than  specific  ATE,  is  flexible  and  expandable  by  adding  additional  hardware.  To  train  personnel,  they  have  short  course 
modules.  They  expect  80—90%  fault  coverage  from  programs  which  take  320—640  man-hours  to  develop,  including 
documentation.  They  see  a  need  for  bare  boards,  removable  coatings,  bus  accessibility,  using  connectors  not  wires,  bringing 
test  points  out  to  a  connector,  accessible  initialization  points  set/reset  accessibility,  normalized  pin  arrays,  and  updated 
configuration  and  management  information. 

5.  A  Practical  Example  of  Reducing  Life  Cycle  Costs  and  Increasing  A  vailability 
R.P.F.Lauder 

Reliable  components  are  only  ten  per  cent  of  the  reliability  picture.  The  rest  must  be  grown  through  testing.  Mr  Lauder 
feels  the  military  could  use  many  commercial  (cheaper)  components.  Reliable  connections  are  one  of  the  biggest  problems. 
One  must  reduce  mean  down  time  to  increase  availability.  An  example  was  given  of  improvements  made  on  an  existing  radar 
system  to  increase  availability. 

7.  ATE  User's  View  on  Design  for  Maintainability 

J.  M,  B.  G.  Mascarenhas 

Portugal  has  set  up  a  test  facility  with  ATE  and  advanced  software.  They  have  developed  a  TPA  —  test  package 
adapter,  one  TPA  per  unit  under  test.  Suggestions  for  DFT  include  having  an  ATE  engineer  on  the  design  team,  a  standard 
ATE  description  language,  the  ability  to  stop  the  free  running  of  a  circuit,  an  interruptable  feedback  loop,  test  point 


accessibility  through  the  connectors,  complete  and  clear  definition  of  the  initial  state  which  is  not  time  dependent,  use  of 
sockets,  including  BIT,  big  memories  and  proms  with  test  patterns  on  boards. 
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8.  Experience  of  One  UK  Electronic  Equipment  Supplier  with  BITE  on  Engine  Flight  Control  Systems  over  the  Past  Ten 
Years 

R.  de  Gave 

Dowty  Electronics  has  designed  controls  for  aircraft  since  1948.  A  brief  history  was  given  with  detailed  examples  from 
four  systems  —  the  Concorde  Olympus  593  engine,  the  RB2 1 1  engine  speed  limiter  for  the  Boeing  747,  the  BAe  wing  flaps 
controller,  and  RB2 1 1  engine  bleed  valve  controller  for  the  Boeing  757.  Each  of  these  systems  contains  BIT,  however,  since 
they  were  for  commercial  clients,  there  is  little  feedback  on  the  effectiveness  of  the  BIT. 

Session  II  —  Avionics  Hardware  Design  for  Testability 
ICA  C.Moreau,  Chairman 

9.  Built-In- Test  for  First  Line  Testing 
Geierand  W.Behm 

The  Tornado  aircraft  had  a  requirement  of  80%  defects  located  and  corrected.  This  specification  was  passed  on  to 
suppliers  to  implement,  however,  they  desired  both  analog  and  digital  systems.  After  60,000  hours,  it  has  been  found  that 
there  is  a  much  higher  false  alarm  rate  than  desired,  especially  in  the  avionics,  which  has  the  most  BIT.  It  appears  from 
studies  of  earlier  systems  that  80%  was  too  high  a  number  and  that  60%  defects  located  and  corrected  would  be  more 
realistic.  They  feel  that  the  problems  are  due  to  a  priority  conflict  between  performance  and  testability.  In  addition,  a 
problem  exists  with  the  BIT  reporting  methods,  and  the  lack  of  tests  for  the  BIT  itself.  One  should  study  the  life  cycle  costs  to 
determine  if  savings  during  operation  will  offset  the  costs  in  design  and  production  to  include  BIT  and  DFT. 

1 1 .  Functional  Built-In-  Test  in  a  Pipelined  Image  Processor 
H.A.  van  Ingen  Schenau,  A.Pleijsier,  and  A.Monkel 

A  pipelined  image  processor  is  described  which  can  use  predefined  test  patterns  for  functional  testing.  There  is  no 
automatic  inspection  of  the  test  patterns. 

1 2.  Built-In-Test  and  Self  Repair  Mechanisms  in  a  Digital  Correlator  Integrated  Circuit, 

W.S.BIackley,  M.A.Jack,  and  J.R.Jordan 

BIT  and  self  repair  have  been  included  in  a  VLSI  digital  correlator  for  yield  enhancement.  The  design  is  a  modular  bit- 
serial  with  near  neighbor  communications,  cascadable,  and  with  a  clock  rate  of  4  MHz.  Very  little  additional  design  or  silicon 
was  needed  to  implement  the  BIT.  A  yield  enhancement  factor  of  9  was  obtained  for  the  first  1 30  chips. 

Session  III  —  Experience  with  Avionics  Software  Maintainability 
W.Kuny,  Chairman 

1 5.  Maintainability  —  an  ILS  Effort  to  Manipulate  Life  Cycle  Costs 
M.  Boehm 

Maintainability  would  be  increased  with  an  increase  in  dialogue  between  contractors  and  the  military.  The  real  issue  is 
to  decrease  the  life  cycle  costs.  Most  of  the  decisions  affecting  this  are  made  early  in  the  design  phase,  while  most  of  the  costs 
(70%)  are  in  the  maintenance  phase.  This  dialogue  is  called  Riistungsrahmenerlass  in  Germany  and  has  been  formally  set  up 
for  all  phases  of  the  life  cycle. 

1 6.  The  Production  of  Maintainable,  Trustworthy,  and  Portable  Software 
E.S.Lee  and  R.C.Holt 

A  structured  approach  to  design  was  presented.  This  included  the  user  requirements  specification,  test  requirements 
specification,  function  specification,  detail  design  document,  coding,  and  test  and  acceptance.  The  development  of 
concurrent  Euclid  was  also  discussed. 

1 7.  Documentation  and  Separate  Test  Program  Development  is  Most  Important  for  Test/Maintenance 
B.Giismann  and  N.Sandner 

Software  development  requires  discipline,  control,  methods,  and  tools.  They  have  a  handbook  of  standards.  They  have 
implemented  a  configuration  management  system  on  UNIX,  based  on  SCCS.  Only  the  project  manager  has  ownership  of  the 
files.  Modules  may  be  checked  out  for  modification.  They  must  pass  the  software  control  board  before  being  checked  in 
again.  A  global  reference  system  flags  all  other  modules  referencing  the  changed  module.  For  the  LTR8 1  system,  after  two 
years  and  more  than  50,000  flight  hours,  no  software  or  mechanization  errors  have  been  found. 

1 8.  Effective  Life  Cycle  Software  Support 
G.H.  Smith 

The  US  Navy's  Pacific  Missile  Test  Center  has  set  up  a  very  rigid  structure  for  software  support  activity  (SSA).  A  SSA 
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team  is  set  up  for  each  system,  and  must  follow  explicit  guidelines. 

1 9.  Experience  in  Using  On-Aircraft  Software  For  Testing  Integrated  Systems 
K  Numberger 

The  software  used  for  testing  the  Tornado  has  two  separate  programs.  One  runs  in  flight  and  is  resident  with  the 
operational  operating  system.  It  uses  hexidecimal  code  output.  The  other  software  must  be  installed  on  the  ground  and  has 
language  coded  messages.  The  German  Air  Force  has  found  the  in-flight  tests  good  for  extending  the  BIT  (Go-NoGo) 
capability.  The  ground  tests  have  been  found  to  be  useful  as  an  overview  of  the  equipment  status  and  interface  links; 
however,  it  is  lengthy  to  run.  It  is  felt  that  with  increased  memory  capacity  in  the  future,  similar  ground  tests  will  not  be 
needed. 

Session  IV  —  Avionics  Software  Design  for  Maintainability 
L.Crovella,  Chairman 

20.  Software  Testing  in  an  Ada  Programming  Environment 
R.  Taylor 

Techniques  for  static  and  dynamic  analysis  of  software  were  discussed.  New  techniques  must  be  used  for  concurrent 
languages  such  as  Ada.  Debugging  in  a  host-target  environment  is  important  for  embedded  systems.  Several  environments 
have  been  developed  to  aid  the  software  designer. 

2 1 .  Investigating  Version  Dependence  in  Fault-Tolerant  Software 
R.K. Scott,  J.  W.Gault,  D.F. McAllister,  J.  Wiggs 

Reliability  models  are  needed  for  fault  tolerant  software.  Data  domain  models  for  N-Version,  recovery  block,  and 
concensus  recovery  block  approaches  are  proposed.  An  experiment  was  performed  which  verified  that  a  dependent  form  of 
the  model  for  the  recovery  block  could  predict  reliability.  The  dependency  was  thought  to  come  from  algorithmic  similarities 
and  a  difficulty  class. 

22.  The  Effect  on  Software  Design  of  Testing  by  Symbolic  Execution 
D.A.  Rutherford 

Symbolic  execution  can  be  used  to  validate  a  system.  The  cost  should  be  reduced  because  no  test  specifications  are 
needed,  fewer  documents  required,  fewer  tests  needed  to  provide  wide  coverage,  and  more  errors  found.  Problems  remain  in 
the  area  of  high-level  languages,  block  structures,  accuracy  of  timing  tests,  range  of  interpreters  needed,  and  limiting  the 
number  of  branch  paths. 

2  3 .  Reliable  Software  Design  for  A  vionics  and  Space  Applications 
G.Giannini  and  P.Donzelli 

Current  limitations  indicate  that  spaceborne  software  is  written  in  assembler  languages.  Low  power,  small  memories, 
and  high  reliability  are  required.  LABEN  has  developed  a  software  design  methodology  to  aid  in  the  development  of  such 
software. 

1 3.  Design  of  Self-Checking  N-MOS  (H-MOS)  Integrated  Circuits 
M.Nicolaidis  and  B.Courtois 

On-line  mission  and  off-line  after  mission  self-checking  techniques  are  described  for  NMOS  chips.  Very  detailed 
studies  of  precise  faults  are  described  and  methods  indicated  for  the  self  checking.  Specific  checkers  are  detailed. 

25.  A  Weapon  System  Design  Approach  to  Diagnostics 
G.  W.Neumann 

Many  techniques  exist  for  design  and  maintenance  of  weapons  systems.  These  are  being  incorporated  into  an  integrated 
diagnostic  package  to  maximize  the  effectiveness  of  the  individual  techniques.  Very  aggressive  goals  are  expected  from  this 
integration  and  demonstrations  are  currently  under  way. 

Session  V  —  Future  Avionics  Maintainability  Through  Hardware/Software  Co-Design 
D.Franke,  Chairman 

The  previous  sessions  centered  on  the  problems  and  possible  solutions  for  maintaining  avionics  hardware  and  software. 
The  final  session  looked  at  long-term  solutions,  including  the  co-design  of  hardware  and  software. 

26.  Hardware/Software  Co-Design  for  MaintainaMe  Systems 
G. A. Frank  and  D.A.Franke 

Software/hardware  co-design  can  be  used  to  reduce  the  life  cycle  costs  in  all  phases  of  the  system.  It  can  also  increase 
maintainability.  RTI  has  developed  a  methodology  for  co-design  and  is  writing  the  ADAS  (Architectural  Design  and 
Assessment  System)  to  implement  the  methodology. 


27.  Data  Simulated  On-line  Checking  (IROLED), 

M.Trautwein 

Residue  coding  techniques  are  used  for  a  microprogrammable  processor  using  IROLED  (Inverse  Residue  code  On- 
Line  Error  Detection).  Estimates  of  the  space  and  time  overheads  are  given. 

28.  Avionics  Fault  Tree  Analysis  and  Artificial  Intelligence  for  Future  Aircraft  Maintenance 
M.E.  Harris 

Expert  and  knowledge  based  systems  can  be  used  to  implement  a  microprocessor  based  test  system.  This  is  currently 
suitcase  sized  and  will  be  installed  on  board  aircraft  this  year.  With  the  system  on  board,  CND  faults  should  be  eliminated. 
This  can  lead  to  a  two-level  maintenance  program. 

29.  Automatic  Error  Detection  and  Recovery  Techniques  in  On-Board  Intelligent  Units  for  Space  and  A  vionics  Application 
R.Ranieri  and  R.RedaeUi 

Both  safety  and  fault  tolerance  are  necessary  in  space  borne  systems  with  high  autonomy.  Techniques  used  for  this 
which  incorporate  both  hardware  and  software  are  given. 
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